Two more patient privacy incidents made news last week.

Mountain Vista Medical Center in Mesa, Ariz., lost data cards that contained information on 2,284 endoscopy patients, the Arizona Republic reports. The search continues for memory cards that went missing from two endoscopy machines in October, according to the hospital. The information on the data cards was for patients whose procedures took place between Jan. 1, 2008 and Oct. 12, 2010.

And in a sadly ironic twist, the California Department of Public Health reported losing data for more than 2,500 facility residents, department employees and other healthcare workers to state authorities. Over the last year, the CDPH has had its hands full imposing fines on hospitals guilty of losing patient records, a fact that has not escaped department brass, which promised to "redouble" efforts to ensure information protection. 

California's lost information was stored on an unencrypted magnetic tape, and included everything from employee emails and background information on healthcare workers to the names and diagnoses of health facility residents and Social Security numbers for both employees and patients. In September, the tape was sent from a CDPH field office in West Covina to the central office in Sacramento via the U.S. Postal Service; while the envelope that was supposed to have contained the tape arrived, it was unsealed and empty, prompting an investigation. 

"Normal procedure is to encrypt those files and send them via courier for storage to save as an archive," health department spokesman Kevin Reilly told the San Gabriel Valley Tribune. "In this case, that policy was not followed and we've done a couple of things to correct that." 

In the Mountain Vista case, the compact memory cards included patient information such as names, dates of birth, ages, sex, types of procedures, dates and times of procedures, and procedure images. Social Security and credit card numbers, as well as addresses and telephone numbers were not on the data cards, according to the hospital's data incident notice.

Patients already have been notified of the incident and the hospital has offered one year of free credit monitoring services for those who may have been affected.

To prevent a repeat, hospital officials have revised security procedures related to storing compact memory data cards, modified the endoscopy machines so they no longer use compact memory data cards and retrained endoscopy unit employees on confidentiality and security procedures.

"We deeply regret the inconvenience this has caused and will do everything we can to help those who may have been affected," CEO Tony Marinello told the Arizona Republic. A Mountain Vista spokesperson added that hospital leaders have no evidence to suggest that information has been accessed or improperly used.


To learn more:
- read Mountain Vista Medical Center's notice
- see the CDPH's news release
- read the Arizona Republic's story
- here's the San Gabriel Valley Tribune article

Dan Bowman and Sandra Yin contributed to this story.

Related Articles:
California fines 7 facilities for privacy breaches
10 Egregious Patient Privacy Breaches
Confidentiality breach: Hospital sent patient records to auto shop
California expands health data breach rules
Stolen Hopkins patient info used in $600K credit card fraud
Patient records found at dump